My First Year in Bug Bounty 👨‍💻
Hello all. In this write-up I summarize my year in bug bounty across all the big platforms and self-hosted programs, with all the numbers, bugs submitted, achievements and a little guidance. I am writing this write-up because I want to track where I am. So let’s get started.
If you read my write-up:
In that write-up I described my journey: when I started learning cybersecurity, when I jumped into bug bounty, how I got my first valid bug, and what methodology I used to find it. You can read it and follow the steps.
Now let’s come to the point.
1. When I Started?
I properly started my bug bounty journey in Feb 2024. During this time I would learn a vulnerability and then try to hunt for it on real-world targets, and so on. I developed a methodology, it worked for me, and I got my first valid bug. That boosted my motivation and I kept moving forward.
2. All big Platforms stats
In this section, I will show you the stats of the platforms which I used this year and my performance, points and all things. So let’s start with
1. Hackerone: Till now I have submitted 10 bugs to this platform and sadly none of them was triaged 😥

In which,
7 bugs were Duplicate
3 bugs were Informative
I know, it is not that impressive a profile on Hackerone. I even have a -5 signal on Hackerone; for what, no idea 😶

And this was the graph of the year

2. Bugcrowd: Till now, I have submitted a total of 13 bugs to this platform, and this platform has somewhat better stats in comparison with Hackerone.

And as you can see from the photo above,
8 bugs were Rejected,
2 bugs were Duplicate,
3 were Accepted, of which 2 were P5 and 1 was P4
And as an achievement on this platform I have a total of 3 HOF for finding a valid bug 🥳.
Note: all are VDP. I tried one BBP, in which I submitted a bug that was marked as Out of scope, and as per the guidelines I got -1 point from that program, sadly 😥.

And these are the stats on this platform:

3. Intigriti: Till now, I have submitted a total of 6 bugs to this platform.

In which,
3 bugs were closed as Out of scope,
3 bugs were closed as Duplicate
But I gained points for the Duplicate bugs too, so I am currently holding 12 points: all the duplicate bugs were Medium severity, so I got 4 points each 🥳, and as a result I also got HOF 🤩

4. Comolho: For those who don’t know about this platform, it is an Indian company that runs a platform for bug hunters, and it is a nice platform too. I have submitted 6 bugs in total to this platform, and for that I have 660 reward points, also for solving CTFs. I am currently in the Top 5% on this platform; as it is a new one, fewer reports are submitted.

In which,
1 bug was rejected,
1 was rewarded as HOF,
4 are still in triaged state 🤞

On this platform I submitted bugs at different severity levels:
P1: 1
P2: 1
P3: 4

5. Other platforms:
I also have accounts on other platforms like YesWeHack, Immunefi and HackenProof, but I have never hunted on these platforms; I will be hunting on them in the future 😏
I also submitted bugs to bugbountys and openbugbounty. Not that many bugs: I have submitted 1 bug on each platform, but till now there is no response from them 🥺.
3. Self Hosted
I have submitted lots of bugs to self hosted programs and let’s start with some achievements 🎉
1. ₹₹₹ for finding P4 in self hosted
write-up read here 👇
2. HOF for finding IDOR
Write-up read here 👇
3. HOF for finding Stored XSS
write-up read here 👇
4. Acknowledgement from NCIIPC
Write-up read here 👇
Now let’s see some numbers:
Total bugs submitted: 24
Awarded: 4
Still in Triaged state: 3
Informative: 2
Not Applicable: 6
No Response: 9
4. Total bugs of 2024?
Total submitted bugs: 61 (Including all self hosted and on platforms)
Rewarded: 8 HOF + 1 bounty 🎉
Triaged: 9 🤞
Not Applicable: 43 (This includes all NA, Duplicate, Out of scope, No Response, Informative) 😩
5. Bugs I reported?
=> IDOR
=> XSS
=> HTML Injection
=> Password Reset Bugs
=> CSRF and Application Level DoS
=> File Upload bugs
=> Mass PII leak
=> Admin Panel Access
=> Broken Link Hijack
=> Failure to invalidate session after Password Change
=> No Rate Limits
=> Open Redirects
=> Sensitive Data Exposure
So this is the end of my year in bug bounty, from Feb to Dec, around 11 months. I have also learned new things and I am still trying to improve myself. The next year will be even better 😉, and I will try to hunt on BBPs to earn some cash to help my family 🙂.
Best wishes to all my readers 🤗 you will achieve all the things you want in your life ❤. My little suggestion: “don’t compare yourself with others, compare yourself with yourself”, so that you are able to know where you are, how far you are from your dream and how you will reach there.
My little request to you: take a break and see what you have done this year and what you achieved, and either post your stats in the comments or write them somewhere, then come back after a year and see how you improved from year to year 📈. Thank you for reading. I will see you in the next one 👋